For those unaware, VMware Log Insight is VMware's syslog monitoring and alerting platform. It collects and automatically identifies structure in all types of machine-generated log data (application logs, network traces, configuration files, messages, performance data, system state dumps, etc.) to build a high-performance index for analytics, so you can find pertinent information quickly.

With that said, I use Log Insight heavily and am a big fan of the Content Packs that provide third-party integration. After showing this to clients for the last few months and having them rave about the dashboards and alerting in Log Insight, I decided to dedicate a post to configuring and using the Cisco ASA Content Pack for Log Insight.

The VMware Log Insight – Cisco ASA Content Pack provides new visibility, insight and alerting capabilities into firewall events, successful and denied connections, top source and destination dashboards for websites, bandwidth consumers, mail, chat, streaming, VPN connections and more. For a full overview of VMware Log Insight capabilities, check out the technical marketing material on the product site at https://www.vmware.com/products/vrealize-log-insight.html.

To configure your Cisco ASA for use with VMware Log Insight:

Log into the Cisco ASA and enter configuration mode

Enable logging

Configure the logging host (the Log Insight server, reached through the ASA interface it sits behind; "inside" in this example)

Configure the logging trap level (informational is level 6, which includes the connection build and teardown messages the Content Pack dashboards rely on)

Configure the logging facility (20 is syslog facility local4)

Save the configuration

asa# configure terminal

asa(config)# logging enable

asa(config)# logging host inside ip.of.log.insight

asa(config)# logging trap informational

asa(config)# logging facility 20

asa(config)# write memory

By default the ASA sends syslog over UDP/514, which is neither authenticated nor encrypted, so the path between the firewall and the collector should be one you trust. If you switch the logging host to TCP (for example logging host inside ip.of.log.insight tcp/514), be aware that an ASA will stop passing new connections when its TCP syslog server becomes unreachable unless logging permit-hostdown is also configured.

After configuring your ASA for use with Log Insight, install the Cisco ASA Content Pack: click the menu (the icon with three lines to the right of the username in the upper right), click Content Packs, then click Marketplace in the upper left of the screen. Find the Cisco ASA icon in the Log Insight Content Pack Marketplace and click it to install it.

After you’ve installed the Content Pack, log out of Log Insight and log back in. Navigate to the Content Pack Dashboards and click on the Cisco ASA Overview link.

The Cisco ASA Overview dashboard gives you a histogram of All ASA Events over time, a breakdown of events grouped by device, events by class and severity level, and top destinations and sources. From here you can click on any graph and choose Interactive Analytics to see a filtered view of the actual log events.

As you can see in the Interactive Analytics view of ASA events grouped by severity level, the Cisco ASA firewall is denying connection attempts for telnet to the outside interface of the firewall. The next thought is, "…geez, VMware, I wish I could easily set up an email alert for this filtered event on my Cisco ASA". Well, I'm happy to add that WE CAN SET UP ALERTS IN LOG INSIGHT! YES!

Let's take a look at how we set up a Log Insight alert for an event from our Cisco ASA.

To add an alert for Severity 3 events, go into the Interactive Analytics view for ASA events filtered to severity 3.

Click on Alerts, which is the red bell icon to the upper-right and then click on Create Alert from Query.

Fill in the New Alert form, providing the name, description and recommendation, an email address or alias, and then the criteria for the alert. You can match on any instance of an event, on an event seen for the first time in the last x hours, or on how many occurrences happen in a given period, optionally grouped by a field. For this alert, I'd like to know any time there is more than one occurrence in five minutes.
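To make that alert rule concrete, here is an added Python example (not code from the original post, and not anything Log Insight ships) that parses ASA syslog lines into the fields the Content Pack extracts, groups them by severity, picks out the access-denied telnet attempts against the outside interface, and applies the same "more than one occurrence in five minutes" rule as a sliding window. The sample log lines are constructed for the example: the message IDs (710003, 302013, 106023) follow the ASA syslog format, the host name asa-fw and the addresses are placeholders, and the year passed to the parser is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Syslog line as the ASA emits it to a collector: <PRI> prefix, timestamp,
# hostname, then the %ASA-<severity>-<message id> header. PRI is
# facility * 8 + severity; "logging facility 20" (local4) gives 160 + severity.
ASA_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)
# Destination part of an access-denied message: "... to <interface>:<ip>/<port>"
DST_RE = re.compile(r"\bto (?P<iface>\w+):(?P<ip>[\d.]+)/(?P<port>\d+)\b")

# Constructed sample lines (not captured from a real firewall). Addresses are
# from documentation ranges; asa-fw is a placeholder host name.
SAMPLE_LOG = """\
<163>Jan 10 12:00:01 asa-fw %ASA-3-710003: TCP access denied by ACL from 203.0.113.5/51234 to outside:198.51.100.1/23
<166>Jan 10 12:00:02 asa-fw %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.0.0.5/52001 (198.51.100.1/52001)
<163>Jan 10 12:02:30 asa-fw %ASA-3-710003: TCP access denied by ACL from 203.0.113.5/51235 to outside:198.51.100.1/23
<163>Jan 10 12:20:00 asa-fw %ASA-3-710003: TCP access denied by ACL from 203.0.113.7/40001 to outside:198.51.100.1/23
<164>Jan 10 12:21:00 asa-fw %ASA-4-106023: Deny tcp src outside:203.0.113.7/40002 dst inside:10.0.0.5/22 by access-group "outside_access_in" [0x0, 0x0]
"""


def parse_asa_line(line, year=2017):
    """Return a dict of parsed fields, or None if the line is not an ASA message.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = ASA_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "facility": pri // 8,
        "asa_severity": int(m["sev"]),
        "msgid": m["msgid"],
        "text": m["text"],
    }


def load_events(text, year=2017):
    events = [parse_asa_line(l, year) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def count_by_severity(events):
    """The 'events grouped by severity' view from the Overview dashboard."""
    return Counter(e["asa_severity"] for e in events)


def denied_to_interface(events, iface="outside", port=23):
    """Access-denied messages (710003) whose destination is <iface>:<ip>/<port>,
    i.e. the telnet-to-the-outside-interface attempts seen in the post."""
    hits = []
    for e in events:
        if e["msgid"] != "710003":
            continue
        d = DST_RE.search(e["text"])
        if d and d["iface"] == iface and int(d["port"]) == port:
            hits.append(e)
    return hits


def threshold_alerts(events, severity, window=timedelta(minutes=5), min_count=2):
    """Sliding-window form of the alert rule: fire when at least min_count
    events of the given ASA severity fall within `window`, then reset so one
    burst produces one alert instead of one alert per event."""
    alerts = []
    recent = deque()
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["asa_severity"] != severity:
            continue
        recent.append(e["time"])
        while recent and e["time"] - recent[0] > window:
            recent.popleft()
        if len(recent) >= min_count:
            alerts.append({"time": e["time"], "count": len(recent)})
            recent.clear()
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("by severity:", dict(count_by_severity(evs)))
    print("denied telnet to outside:", len(denied_to_interface(evs)))
    for a in threshold_alerts(evs, severity=3):
        print(f"ALERT {a['time']}: {a['count']} severity-3 events within 5 minutes")
```

Running the block prints the severity histogram, three denied telnet attempts and one alert at 12:02:30 covering the two events inside the window; the third severity-3 event, 18 minutes later, stands alone and does not fire. Clearing the window after an alert is a deliberate choice so that a burst generates one notification rather than one per event, which is what you want when the alert goes to a mailbox.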

Now that we’ve set an alert in Log Insight for our Cisco ASA, let’s take a look at some of the dashboards and information that the Content Pack provides visibility into.

Navigate to Denied Connections under the Cisco ASA Content Pack and you're greeted by a dashboard of Top Denied Destinations, Top Denied Sources, Top Denied Protocol Groups and Top Denied Websites. Each of these can be drilled into by right-clicking on a graph section and clicking Interactive Analytics to see the data. Top Denied Sources is quite useful for determining where attacks are originating and can quickly provide you with a list of sources to take action on; keep in mind that the source address of unsolicited traffic can be spoofed, so verify before you block.

The Successful Connections Dashboard shows some really useful views of Top Accessed Destinations, Top Websites, a list of Latest Successful Connections and a graph of Reasons for successful TCP teardowns.

Besides looking to see that Facebook, Hulu or Youtube is probably the top accessed website from your firewall, the Latest Successful Connections is a great way to see if a new firewall rule or configuration change is working for clients accessing a new site or the like.

Clicking on the Traffic Overview dashboard reveals a fantastic histogram of bandwidth usage, which can be useful for forecasting and planning. The middle of the screen shows a graph of Top Connections With High Bandwidth Usage, to see who the big consumers are. Once again, you can drill down on any of those users to see what was being used. The user in this graph is my son's Chromebook, and I'm sure the bandwidth usage is from Youtube, no doubt. …was there any doubt? /grin

Lastly, the VPN Activity dashboard is great for analyzing past VPN events and for alerting on current ones. You can set up alerts for failed VPN connection attempts, which is always something to keep an eye on.

Wrapping it up, there’s quite a bit that VMware Log Insight can do for Cisco ASA users. The alerting capabilities for ASA events make Log Insight a great solution for environments where it’s deployed, as the Content Pack is free of charge, easily deployed and provides new visibility and “insights” into what’s happening on your ASA. …with or without you knowing. /grin


Estimating the time needed for NSX upgrades and maintenance windows has been a topic that's needed attention for some time now. Many of the VMware NSX field engineers know from experience how long an NSX upgrade may take based on environment size, but I've found that there's little documentation around how to determine the time required to perform an upgrade based on the size of the environment.

VMware NSX-v upgrades are performed in order of NSX Managers, then Controllers, then Edge Gateways and then the vSphere hosts themselves. So a good method of determining how long an upgrade will take is to calculate the individual component upgrade times, add some buffer for the unexpected, and sum it all up. I've detailed the NSX upgrade process in a previous blog post, with step-by-step screenshots, to show you what to expect. Official VMware NSX documentation should be used to perform the actual upgrade.

*As a special note, NSX-T upgrades are done in reverse order, starting with the hosts / transport nodes first and then moving on to Edge Gateways, Controllers and finally NSX Manager.

After performing a fair number of upgrades in the field, I've found NSX Managers and Controllers to be very reliable in terms of component upgrades. Edge Service Gateways in an HA pair will occasionally fail an NSX component upgrade, but the remediation of powering the VM off, powering it back on, waiting for services to start and then retrying the upgrade has been fairly quick.

NSX component upgrade times as follows:

NSX Manager – 30 minutes

NSX Controller – 5-10 minutes (each)

NSX Edge Service Gateway – 15 minutes (each)

NSX vSphere Host – 15 minutes (each)

*Be sure to add time for DRS evacuation, and for a reboot where applicable, to each host's time. NSX host upgrades from 6.3 onward are reboot-less, but the evacuation (maintenance mode) still applies.

Each of these times includes a small buffer for testing return to service of each component. Conditions can vary with load and scale. If you have a test NSX deployment, a dry run there will show you how your environment performs and let you tune the times more closely. Disk I/O on the Manager and Edge VMs accounts for a fair amount of time, but the number of NSX vSphere host upgrades is usually the biggest single factor in upgrade time. Remember that host density and host memory have a lot to do with estimating NSX vSphere host upgrade times: hosts with high VM densities can take in excess of an hour to evacuate, and physical servers with >1TB of memory take quite a bit of time to "count up" memory at BIOS boot. All things to consider and add to your estimate.

Here’s an example time estimate calculation for an NSX 6.3 upgrade on a five (5) host cluster:

NSX Manager (1) – 30 minutes

NSX Controller (3) – 30 minutes

NSX Edge Service Gateway HA Pair (2) – 30 minutes

NSX vSphere Hosts (5) – 75 minutes

The estimated time for this example would be 165 minutes, or 2 hours and 45 minutes, which is very close to the actual 2.5 hours it took to perform the upgrade in this lab. As I mentioned, check out the walkthrough of the upgrade in the earlier post and (please) use the official documentation to create your upgrade "runbook". As always, opening a support ticket with VMware support containing the version details of your upgrade, the number of components, and an architectural drawing will greatly reduce the time needed to engage support, should you need it.
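The calculation above is easy to turn into a small estimator, shown here as an added Python example that is not from the original post. It reproduces the per-component times listed earlier (using the upper 10 minutes for a controller, as the five-host example does), orders the components in the sequence the post gives for NSX-v and the reverse for NSX-T, and lets you add per-host DRS evacuation and reboot time plus a contingency percentage. The component names, the timing dictionary, the order table and the contingency knob are assumptions of this example; the upgrade guide for your version remains authoritative for the actual sequence.

```python
# Per-component upgrade times in minutes, taken from the post; each already
# includes a small buffer for return-to-service testing.
COMPONENT_MINUTES = {
    "manager": 30,
    "controller": 10,   # post gives 5-10 each; the five-host example uses 10
    "edge": 15,
    "host": 15,         # DRS evacuation and (pre-6.3) reboot time go on top
}

# Sequence as described in the post: NSX-v works down from the Manager,
# NSX-T works up from the transport nodes. This table is an assumption of the
# example; follow the upgrade guide for your version.
UPGRADE_ORDER = {
    "nsx-v": ["manager", "controller", "edge", "host"],
    "nsx-t": ["host", "edge", "controller", "manager"],
}


def estimate_upgrade(counts, flavor="nsx-v", host_evacuate_min=0,
                     host_reboot_min=0, contingency=0.0):
    """Return (total_minutes, schedule).

    counts maps component name -> number of that component to upgrade.
    host_evacuate_min and host_reboot_min are added to every host's time;
    contingency is a fraction (0.2 = 20%) added to the final total as the
    'buffer for the unexpected'. The schedule carries T+ offsets per phase
    so the maintenance window can be sequenced in the change request.
    """
    if flavor not in UPGRADE_ORDER:
        raise ValueError(f"unknown NSX flavor {flavor!r}")
    schedule = []
    elapsed = 0
    for component in UPGRADE_ORDER[flavor]:
        n = counts.get(component, 0)
        if n <= 0:
            continue
        per_unit = COMPONENT_MINUTES[component]
        if component == "host":
            per_unit += host_evacuate_min + host_reboot_min
        schedule.append({
            "component": component,
            "count": n,
            "per_unit": per_unit,
            "start": elapsed,
            "end": elapsed + per_unit * n,
        })
        elapsed += per_unit * n
    total = round(elapsed * (1 + contingency))
    return total, schedule


def format_window(minutes):
    """Render a minute count as 'Nh MMm' for the change request."""
    hours, mins = divmod(minutes, 60)
    return f"{hours}h {mins:02d}m"


if __name__ == "__main__":
    # The post's five-host lab: 1 Manager, 3 Controllers, 1 ESG HA pair, 5 hosts.
    lab = {"manager": 1, "controller": 3, "edge": 2, "host": 5}
    total, plan = estimate_upgrade(lab)
    for step in plan:
        print(f"{step['component']:<10} x{step['count']:<2} "
              f"{step['per_unit']:>3} min each  "
              f"T+{step['start']:>3} .. T+{step['end']:>3}")
    print("estimate:", total, "minutes =", format_window(total))   # 165 = 2h 45m
    # Same cluster with dense hosts and a pre-6.3 reboot, plus 20% contingency.
    total, _ = estimate_upgrade(lab, host_evacuate_min=45, host_reboot_min=15,
                                contingency=0.2)
    print("worst case:", total, "minutes =", format_window(total))
```

The default run reproduces the post's 165-minute figure; the second run shows how quickly dense hosts dominate the window (45 minutes of evacuation and a 15-minute reboot per host turn the same five-host cluster into a 558-minute job), which is why the host count deserves the closest look when you size the change window.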


This question comes up with clients and coworkers alike all the time, so I figured I’d do my best to disseminate the information a bit further into the “inter-webs”.

The reason vCenter shows 0 (zero) NSX licenses in use is largely that not every version of VMware NSX is tied to vCenter: NSX-T and NSX-MH are not, while NSX-V is. VMware NSX-V is of course the vSphere-based version of NSX, MH the "multi-hypervisor" version, and "T" ("Transformers") the version for bare-metal, cloud-based and container environments and the like.

VMware NSX Editions

With the release of NSX 6.2.2, VMware introduced three license editions: Standard, Advanced and Enterprise. These editions allow you to align NSX with your company's use case.

Advanced Edition: Standard Edition plus a fundamentally more secure data center with micro-segmentation. Helps secure the data center to the highest levels, while automating IT provisioning of security.

Since several versions of VMware NSX are not vCenter-based, vCenter's license usage accounting isn't meaningful for NSX. VMware NSX license usage is therefore displayed in the VMware NSX Manager interface.

Per the documentation, the NSX capacity usage calculation only counts clusters that have been prepared and enabled with DFW and VXLAN. CPU count is the number of CPUs (sockets) across all prepared hosts. VM count and Concurrent Users are the count of all powered-on VMs in those clusters; this VM count does not include system VMs (service VMs, partner VMs, Edge appliances, etc.).

NSX usage is reported correctly under NSX Manager in the NSX vSphere Web Client plugin. **Please note that under License Management in vCenter the NSX license will report Usage as ZERO**
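To see how that capacity rule plays out on an inventory, here is an added Python example (not from the original post, and not VMware code) that applies the documented counting method to a constructed vCenter inventory: only prepared clusters count, CPU usage is the socket total of their hosts, and VM / Concurrent User usage is their powered-on VMs with system VMs excluded. The dataclass names, the prepared flag on the cluster and the system flag on the VM are assumptions of the example, standing in for whatever your inventory export calls them.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class VM:
    name: str
    powered_on: bool
    system: bool = False    # service VM, partner VM, Edge appliance, ...


@dataclass
class Host:
    name: str
    sockets: int            # physical CPU sockets, which is what NSX counts


@dataclass
class Cluster:
    name: str
    hosts: List[Host]
    vms: List[VM]
    prepared: bool = False  # host preparation done and DFW/VXLAN enabled


def nsx_license_usage(clusters):
    """Apply the documented NSX capacity rule and return the three counters
    NSX Manager reports: CPU, VM and Concurrent User."""
    cpu = 0
    vm = 0
    for cluster in clusters:
        if not cluster.prepared:
            continue                        # unprepared clusters never count
        cpu += sum(h.sockets for h in cluster.hosts)
        vm += sum(1 for v in cluster.vms if v.powered_on and not v.system)
    return {"cpu": cpu, "vm": vm, "concurrent_user": vm}


# Constructed inventory for the example: one prepared compute cluster holding a
# powered-off VM and an Edge appliance, plus an unprepared management cluster.
INVENTORY = [
    Cluster(
        "compute-01",
        hosts=[Host("esx01", 2), Host("esx02", 2), Host("esx03", 4)],
        vms=[VM("web01", True), VM("web02", True), VM("db01", False),
             VM("edge-gw-0", True, system=True)],
        prepared=True,
    ),
    Cluster(
        "mgmt-01",
        hosts=[Host("esx10", 2)],
        vms=[VM("vcenter", True), VM("nsx-manager", True, system=True)],
        prepared=False,
    ),
]

if __name__ == "__main__":
    print(nsx_license_usage(INVENTORY))   # {'cpu': 8, 'vm': 2, 'concurrent_user': 2}
```

The management cluster contributes nothing because it was never prepared, db01 is powered off, and the Edge appliance is a system VM, so the prepared cluster's three hosts (8 sockets) and two workload VMs are all that NSX Manager counts. Walking your own inventory this way is a quick cross-check before an audit, since vCenter's license view will only ever tell you zero.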

vShield Endpoint License in NSX 6.2.4

vShield Endpoint is a component of vCloud Networking and Security (vCNS). This component allows you to offload antivirus and anti-malware agent processing to a dedicated secure virtual appliance. With the release of NSX 6.2.4, the default license is NSX for vShield Endpoint, allowing you to manage your vShield Endpoint environment with NSX. Customers who purchased vSphere with vShield Endpoint (Essentials Plus and above) will be able to download NSX. This means that NSX will appear on the vSphere download site, just like vCNS does today. To ensure customers do not use any other unlicensed NSX features (e.g. VXLAN, DFW, Edge services), the license key has hard enforcement that prevents NSX host preparation and blocks Edge creation. If you require an evaluation license key, please request it through VMware sales.

If you have questions regarding VMware NSX licensing, auditing of licensing or the like, please contact your VMware account team or NSX Technical Account Specialist.


About Me

Mr. Hinderer has over 18 years of experience in the architectural design and management of mission critical systems and infrastructure. He currently serves as a Staff Technical Account Specialist at VMware, focusing on enterprise VMware architecture, design and project leadership for software defined networking and security.